CVE: CVE-2022-26527

Title: Realtek Linux/Android Bluetooth Mesh SDK — An Out-of-bound
Write Due to Inconsistent SegN in Mesh Transport Layer

Description: In Realtek Android Bluetooth Mesh SDK, an out-of-bound write
vulnerability can be triggered by sending a series of segmented
packets with inconsistent SegN. SegN is a lower transport layer field
that indicates the last segment number. When it receives the first
segmented packet, Realtek Android Bluetooth Mesh SDK allocates a buffer
to cache the remaining segmented packets. The size of the buffer is
(SegN + 1) * single_payload_size, where SegN is parsed from the first
segmented packet, and single_payload_size is 8 or 12, depending on
the type of packet. The mesh SDK then continues to receive the
remaining segmented packets and copies them to the allocated buffer.
Whether the reception is complete is determined by comparing the
received packets and SegN. However, the SegN used for detecting the
completion of reception is parsed from the currently received packet,
rather than the first segmented packet. If the first SegN is smaller than
the subsequent SegN, an out-of-bound write will occur during packet
caching.

Severity: Medium

CVSSv3 Base score: CVSS:3.1 sH/PR:N/UI:N/S:U/C:N/LN/A:H/E:U/RL:O/RC:C

Vulnerability Type: Denial of Service

CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic
Buffer Overflow'). The program copies an input buffer to an output
buffer without verifying that the size of the input buffer is less than the
size of the output buffer, leading to a buffer overflow.

Affected Chipsets: 8723DS, 8821CS, 8723FS

Affected Software Versions: Older than Mesh SDK v4.17-4.17-20220127
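
The reassembly bounds logic from the Description, written in hardened form as an added example; it is not Realtek's SDK code. The struct, function and constant names are hypothetical, and the per-segment index SegO and the 5-bit field width are assumptions taken from the Bluetooth Mesh lower transport layer, not from this advisory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SEG_MAX 31u /* SegO and SegN are treated as 5-bit fields here */

/* Hypothetical reassembly context; names are illustrative, not the SDK's. */
struct reasm {
    uint8_t *buf;      /* (seg_n + 1) * seg_size bytes, allocated once */
    uint8_t  seg_n;    /* SegN latched from the first segment */
    uint8_t  seg_size; /* 8 or 12, as stated in the advisory */
    uint32_t seen;     /* bitmap of SegO values already cached */
};

enum { REASM_REJECT = -1, REASM_MORE = 0, REASM_DONE = 1 };

/* Cache one segment. seg_o is the segment's own index (SegO). */
int reasm_input(struct reasm *r, uint8_t seg_o, uint8_t seg_n,
                uint8_t seg_size, const uint8_t *data, size_t len)
{
    if (seg_n > SEG_MAX || seg_o > seg_n)
        return REASM_REJECT;
    if ((seg_size != 8 && seg_size != 12) || len == 0 || len > seg_size)
        return REASM_REJECT;

    if (r->buf == NULL) { /* first segment: size the buffer from its SegN */
        r->buf = calloc((size_t)seg_n + 1, seg_size);
        if (r->buf == NULL)
            return REASM_REJECT;
        r->seg_n = seg_n;
        r->seg_size = seg_size;
        r->seen = 0;
    }

    /* A later segment must carry the same SegN (and payload size) that sized
     * the buffer; the flaw in the advisory is trusting the current packet's
     * SegN. With seg_o <= seg_n above, the copy stays inside the allocation. */
    if (seg_n != r->seg_n || seg_size != r->seg_size)
        return REASM_REJECT;

    memcpy(r->buf + (size_t)seg_o * r->seg_size, data, len);
    r->seen |= UINT32_C(1) << seg_o;

    /* Completion is judged against the latched SegN, never the packet's. */
    uint32_t all = r->seg_n == SEG_MAX ? UINT32_MAX
                                       : (UINT32_C(1) << (r->seg_n + 1)) - 1;
    return r->seen == all ? REASM_DONE : REASM_MORE;
}
```

A rejected segment leaves the context untouched, so a caller can drop the packet and keep waiting for valid segments or time the session out.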